General

  • Target

    9d46b723ec666db3e73ae900c474d660

  • Size

    290KB

  • Sample

    220521-tr5bjaabb8

  • MD5

    9d46b723ec666db3e73ae900c474d660

  • SHA1

    a801d00b65f847806ea5c2496c62efae283b3a94

  • SHA256

    80bb4f3c9e2ea5ea1ca55ffa2a5fd303058c240133d32b93e7c89a96712a5cba

  • SHA512

    4d26098cac7368afb62c41b3c9a06870f6ae3d1fe4883ba9a4d5755d9a2e363b2d8cba55ec637ab24362a32a2c4c362d0192659a5abd62f87c2f0b0a9ed3c9cc

Malware Config

Extracted

  • Family

    njrat

  • Version

    im523

  • Botnet

    WormRATT

  • C2

    178.33.93.88:1742

  • Mutex

    7869d44e9b90d6b1e669bf52c9e89c61

Attributes
  • reg_key

    7869d44e9b90d6b1e669bf52c9e89c61

  • splitter

    |'|'|

Targets

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Modifies Windows Firewall

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

MITRE ATT&CK Matrix ATT&CK v6

  • Initial Access

    Replication Through Removable Media (T1091): 1

  • Persistence

    Modify Existing Service (T1031): 1

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

  • Lateral Movement

    Replication Through Removable Media (T1091): 1

Tasks